From 0a23b02e4b16dddfdcee6b10670a3a8f36d6cd50 Mon Sep 17 00:00:00 2001
From: smarcet
Date: Fri, 28 Feb 2020 22:22:47 -0300
Subject: [PATCH] Refactored offline_access

User can not explicitly delete offline_access scope once is granted.

Change-Id: I3e94e4afeccf1050a3d20cde738a960b5aea4d3b
Signed-off-by: smarcet
---
 app/Models/OAuth2/Client.php | 8 ++++++++
 app/Models/OAuth2/Factories/ClientFactory.php | 7 ++-----
 app/Services/OAuth2/ClientService.php | 10 ++++++++--
 3 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/app/Models/OAuth2/Client.php b/app/Models/OAuth2/Client.php
index 5f18f02d..592f841b 100644
--- a/app/Models/OAuth2/Client.php
+++ b/app/Models/OAuth2/Client.php
@@ -426,6 +426,14 @@ class Client extends BaseEntity implements IClient
         $this->client_type = $this->infereClientTypeFromAppType($this->application_type);
     }
 
+    /**
+     * @return bool
+     */
+    public function canRequestRefreshTokens():bool{
+        return $this->getApplicationType() == IClient::ApplicationType_Native ||
+            $this->getApplicationType() == IClient::ApplicationType_Web_App;
+    }
+
     /**
      * @param string $app_type
      * @return string
diff --git a/app/Models/OAuth2/Factories/ClientFactory.php b/app/Models/OAuth2/Factories/ClientFactory.php
index db18acaf..577e6cef 100644
--- a/app/Models/OAuth2/Factories/ClientFactory.php
+++ b/app/Models/OAuth2/Factories/ClientFactory.php
@@ -39,11 +39,8 @@ final class ClientFactory
         foreach ($scope_repository->getDefaults() as $default_scope) {
             if (
-                $default_scope->getName() === OAuth2Protocol::OfflineAccess_Scope &&
-                !(
-                    $client->getApplicationType() == IClient::ApplicationType_Native ||
-                    $client->getApplicationType() == IClient::ApplicationType_Web_App
-                )
+                $default_scope->getName() === OAuth2Protocol::OfflineAccess_Scope
+                && !$client->canRequestRefreshTokens()
             ) {
                 continue;
             }
diff --git a/app/Services/OAuth2/ClientService.php b/app/Services/OAuth2/ClientService.php
index bcdfc7f7..9d9887bd 100644
--- a/app/Services/OAuth2/ClientService.php
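Review bot: canRequestRefreshTokens() compares the application type with loose `==`, while the ClientFactory hunk in this same commit uses `===` for its scope-name check; use strict comparison here as well, `return $this->getApplicationType() === IClient::ApplicationType_Native || $this->getApplicationType() === IClient::ApplicationType_Web_App;`. The signature `canRequestRefreshTokens():bool{` does not follow the spacing and brace placement used by the surrounding methods; `public function canRequestRefreshTokens(): bool` with the brace on its own line would match. The `@return bool` docblock only restates the native return type and says nothing about the policy the method encodes; a comment such as `Application types that are granted the offline_access (refresh token) scope and may not have it removed — see ClientFactory and ClientService.` would tell the next maintainer why only Native and Web_App qualify. The method itself is complete within the hunk; the enclosing Client class is not.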
+++ b/app/Services/OAuth2/ClientService.php
@@ -373,11 +373,17 @@ final class ClientService extends AbstractService implements IClientService
         return $this->tx_service->transaction(function() use ($id, $scope_id){
             $client = $this->client_repository->getById($id);
             if (is_null($client) || !$client instanceof Client) {
-                throw new EntityNotFoundException(sprintf("client id %s does not exists!", $id));
+                throw new EntityNotFoundException(sprintf("Client id %s does not exists.", $id));
             }
             $scope = $this->scope_repository->getById($scope_id);
             if (is_null($scope) || !$scope instanceof ApiScope) {
-                throw new EntityNotFoundException(sprintf("scope id %s does not exists!", $scope_id));
+                throw new EntityNotFoundException(sprintf("Scope id %s does not exists.", $scope_id));
+            }
+            if($scope->getName() == OAuth2Protocol::OpenIdConnect_Scope){
+                throw new ValidationException(sprintf("Scope %s can not be removed.", OAuth2Protocol::OpenIdConnect_Scope));
+            }
+            if($scope->getName() == OAuth2Protocol::OfflineAccess_Scope && $client->canRequestRefreshTokens()){
+                throw new ValidationException(sprintf("Scope %s can not be removed.", OAuth2Protocol::OfflineAccess_Scope));
             }
             $client->removeScope($scope);
             $client->setEditedBy($this->auth_service->getCurrentUser());
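Review bot: The two new guards compare scope names with loose `==` (`if($scope->getName() == OAuth2Protocol::OpenIdConnect_Scope){`), whereas the ClientFactory hunk in this same commit uses `===` for the identical offline_access comparison; use `===` in both added `if` lines so the protected-scope check cannot be affected by PHP's loose string comparison rules. The reworded EntityNotFoundException messages still read "does not exists"; since those lines are being touched anyway, `"Client id %s does not exist."` and `"Scope id %s does not exist."` would fix the grammar. Neither ValidationException branch says why these scopes are protected; a one-line comment above the first guard, `// openid, and offline_access on clients eligible for refresh tokens (Client::canRequestRefreshTokens), may not be removed explicitly`, records the rule the commit introduces. The enclosing method's signature and the end of the transaction closure are outside the hunk.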